PT-2026-56234 · 9Router · 9Router
Ductinn
+1
·
Published
2026-07-02
·
Updated
2026-07-07
·
CVE-2026-59800
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
9Router versions prior to 0.4.44
Description
An OS command injection issue exists due to improper access control. The endpoint "/api/tunnel/tailscale-install" does not require authentication because it is missing from the dashboard middleware matcher. A remote unauthenticated attacker can send a POST request containing a
sudoPassword variable in the request body. This value is written to the stdin of a sudo -S sh child process. In environments where the process runs as root, NOPASSWD is configured, or a sudo timestamp cache exists, the sudoPassword value is interpreted and executed as a shell command by sh. This allows for remote code execution as the user running the 9Router process. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).Recommendations
Update 9Router to version 0.4.44 or later.
As a temporary mitigation, restrict access to the "/api/tunnel/tailscale-install" endpoint to prevent unauthenticated remote access.
Exploit
Fix
Missing Authorization
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
9Router